An active malware campaign has set its sights on Facebook and YouTube users by leveraging a new information stealer to hijack the accounts and abuse the systems’ resources to mine cryptocurrency.
Bitdefender is calling the malware S1deload Stealer for its use of DLL side-loading techniques to get past security defenses and execute its malicious components.
“Once infected, S1deload Stealer steals user credentials, emulates human behavior to artificially boost videos and other content engagement, assesses the value of individual accounts (such as identifying corporate social media admins), mines for BEAM cryptocurrency, and propagates the malicious link to the user’s followers,” Bitdefender researcher Dávid ÁCS said.
Put differently, the goal of the campaign is to take control of the users’ Facebook and YouTube accounts and rent out access to raise view counts and likes for videos and posts shared on the platforms.
More than 600 unique users are estimated to have been impacted during the six-month period between July and December 2022. A majority of the infections are located in Romania, Turkey, France, Bangladesh, Mexico, Peru, and Canada.
To pull off the scheme, users are lured with adult-themed content via Facebook posts that contain links to ZIP archives, which, when extracted, triggers an intricate infection sequence leading to the deployment of the malware.
“The malware author can therefore create a feedback loop: the more PCs they can infect, the more they can spam on Facebook, the more clicks they can generate to infect more PCs,” Bitdefender said.
Besides being capable of downloading additional modules on the compromised host, the malware is also responsible for launching a headless Chrome browser that makes use of an extension to artificially inflate YouTube video views.
The stealer further captures saved credentials and cookies from web browsers, conducts Facebook profile checks, and also loads a cryptojacker that mines cryptocurrency without the victim’s knowledge or consent.
Bitdefender said it found infrastructure overlaps with a website called upview[.]us that advertises options to buy YouTube views, likes, and subscribers as well as options to increase Facebook post likes, comments, followers, and video views.
“S1deload stealer has serious privacy implications for the victim infected with it,” the Romanian company said. “The malware exfiltrates the victim’s saved credentials, including email, social media or even financial accounts. The threat actor can access these accounts or sell them on the dark web.”